ECRI Institute Releases Guidance on How to Protect Your Medical Device Systems

The ECRI Institute released new guidance in its article “Ransomware Attacks: How to Protect Your Medical Device Systems” on May 18, 2017. The report recommends protective actions for hospitals to take and points to critical differences between protecting medical device systems and protecting general hospital systems.

According to the report, ransomware makes data, software, and IT assets unavailable to users. The report describes ransomware as using the encryption of data to hold systems hostage, where the hacker promises to give the victims access to their data if a ransom is paid. One previous ransomware example reported on the Knobbe Medical Device Blog was the WannaCry virus, ransomware that caused disruptions for several hospitals in the United Kingdom. The International Business Times reported that security researchers had found that the WannaCry ransomware was not limited to computers but was also capable of exploiting medical devices.

The ECRI Institute report explains that an IT department can apply new security patches to some medical device systems; however, some systems will remain susceptible, either because they are based on an older version of an operating system and can’t be upgraded or because they have not been validated for clinical use with the latest security patches.

The report includes a list of dos and don’ts for quickly responding to emerging threats.  The “Dos” mentioned in the report include:

  • Identify medical devices, servers or workstations that may be affected.
  • Contact the device vendor. 
  • Request written copies of the manufacturer’s recommended actions for dealing with a current ransomware threat. 

The “Don’ts” mentioned in the report include:

  • Don’t overreact.
  • Don’t install unvalidated patches.  Unvalidated patches can make medical devices faulty or inoperable.  Ask the manufacturer for documentation of the validation.

The ECRI Institute is a nonprofit organization that has its U.S. headquarters in Plymouth Meeting, Pennsylvania.

April White
April White is an associate in our San Diego office. Prior to joining the firm, Ms. White attended law school at the University of San Diego School of Law. While in law school, Ms. White was an editor for the San Diego Law Review. Prior to her legal education, she received a Bachelor of Science in Mechanical Engineering from the University of Louisville. Ms. White joined the firm in 2015.